Prior to his post at DMDII, Subramanian was director of risk and compliance at Uptake Technologies where he led data privacy, risk and information-security initiatives in addition to helping secure newly procured technology. Before Uptake, he worked with Trustwave helping Fortune 1000 companies become compliant with the Payment Card Industry Data Security Standard.security expert Koushik Subramanian was named director of its National Center for Cybersecurity in Manufacturing, which launched in March with $750,000 in seed funding from the U.S. Department of Defense.

DMDII's Koushik Subramanian

“We are thrilled to welcome Koushik to the team to guide the National Center for Cybersecurity in Manufacturing as we ramp up our cybersecurity activities,” said Caralynn Collens, CEO of UI LABS, which hosts the DMDII. “His experience in the industrial IoT space will be invaluable as we continue to address the unique security needs of the connected factory for defense manufacturers and other corporate partners.”

Before we tour DMDII in September during the 2018 Smart Industry Conference, we chatted with Koushik to get his perspective on manufacturing vulnerabilities and cybersecurity concerns in the era of digital transformation. Take a look…

Smart Industry: Why are you joining this new initiative?

Koushik: I love challenges and puzzles. I have spent my entire career in cybersecurity and risk and I was fortunate to be a part of the digital transformation in the payment industry, which shares many parallels with the manufacturing industry. As attacks on the manufacturing industry increase, we need to find innovative and cost-effective ways to protect manufacturers that commonly lack resources or access to talent to help mitigate cyber-risks. It is a huge challenge to elevate the security posture across the entire manufacturing base. DMDII is where manufacturers forge their futures, and integrating cybersecurity strategies into their planning will be of the utmost importance.

What excites me the most is the 24,000 square-foot testbed here, which is filled with manufacturing technology that I can perform penetration testing on. Performing penetration testing on a commercial manufacturer can be difficult, as you have to get buy-in from management, limit the scope of testing, and test during off-hours. By having our own non-commercial testbed of manufacturing equipment, we are no longer limited and can perform more in-depth testing and find ways to mitigate security vulnerabilities and test remediation strategies at a much quicker pace.

2017 Smart Industry Conference attendees tour DMDII

Smart Industry: What is unique about cybersecurity in the manufacturing space?

Koushik: As manufacturers adopt more digital technologies, there is a need for connectivity and communications, which brings risk. There are also a lot of tools out there for securing iformation technology but not for operational technology.

The most common challenges are lack of resources, awareness, and access to talent. Many SMMs do not understand cybersecurity at the level that it warrants because they have not been forced to adhere to any standard other than the contracts that keep them in business.

Smart Industry: Why do hackers target manufacturing?

Koushik: A 2017 Verizon Data Breach Investigations Report found that 35% of all cyber-espionage attacks in the US are now targeted at the manufacturing sector, the largest of any single sector. These are nation-state affiliated attacks that are often looking to steal intellectual property as in the case of the recently publicized attack where Chinese Hackers stole unclassified data from a Navy contractor. There are huge implications here, specifically for manufacturers in the Department of Defense supply chains as the hacking of this information allows our adversaries to leapfrog our military innovation and provide insights into our plans, which allows them to more adequately develop counter measures. The attacks here are a matter of national security.

Another interesting point to note is that U.S. manufacturers perform more than three quarters of all private sector R&D, which drives more innovation than any other sector. This innovation makes manufacturers a target for those looking for competitive product advantage. Again, this is largely a case of IP theft, but there are also attacks that have the ability to shut down manufacturers, modify production parameters that can compromise product integrity, can threaten worker safety, and in some cases cause the safety of entire communities depending on the nature of the attack.

It is hard to say if hackers focus on a specific field, but the hacker mindset is to either go after low-hanging fruit or go after something very specific, such as design documents for DoD supply chain manufacturers.

There is a focus on small enterprises as hackers are often looking for the path of least resistance; many small manufacturers do not have strong cybersecurity practices in place, making it easy to get information. Also, when we consider the makeup of the manufacturing sector, more than 70% of the industrial base is comprised of companies with fewer than 20 employees. These companies make up the supply chains of the large companies.

Smart Industry: Does security-vulnerability inhibit digital transformation among manufacturers? Are business owners scared of the IIoT?

Koushik: I would not say that security vulnerabilities inhibit, but they add risk to the digital transformation that American manufacturers are undergoing. This risk is commonly financial or reputational. Manufacturers want to produce goods as efficiently and cost-effectively as they can, so uptime and process improvements tend to take priority over cybersecurity.

I think that business owners who understand the basics of cyber-risk are scared of the Industrial Internet of Things, but many may be distracted by all of the positives that IIoT brings to their business, such as automation. It is easy to be scared because there are still a lot of unknowns and that is precisely why we are developing tools that aid in their digital journey.

Koushik: Awareness building–We are about to launch a survey surrounding cybersecurity practices in the manufacturing industry. The level of detail and insights that we will gain can help spread awareness across the industry. DMDII will also look to build awareness through integrating cybersecurity use cases on our testbed, which attracts more than 12,000 people per year. The integration of these use cases will bring cybersecurity threats to life and shine a light on why investing in cybersecurity is critical to the competitiveness of U.S. manufacturing.

Workforce Development–We are building cybersecurity-training programs geared toward American manufacturers and their needs. We are looking to leverage our manufacturing testbed to be able to show manufacturers real-world cybersecurity threats, allow them to interact with these threats hands-on, and then in the same day empower them to take steps to mitigate these threats. There is a strong need to help manufacturers understand where to start on their cybersecurity journey and help them make meaningful improvements to their practices overtime. Cybersecurity is especially daunting to many small manufacturers and there is a lack of clarity on where to begin.

Low-cost tool development–We plan to develop tools that can automate the process of assessing and reacting to cyber vulnerabilities and expect to have announcements over the next several months on the specifics.

Smart Industry: What concerns you most about the near future of cybersecurity? What most excites you?

Koushik: The threat landscape is always evolving, and it is very much a black box. The unknown is what excites me.

We are poised to bring together the government, manufacturers of all sizes, and academia to make a measurable impact in the cybersecurity practices across the manufacturing sector. This cooperation is exciting and has the power to unlock huge economic potential for this country especially when we start to think of cybersecurity as an enabler to digital technologies.

Smart Industry: What cybersecurity tools/technologies/elements can people see on a tour of DMDII?

Koushik: With our 24,000 square-foot testbed for manufacturing equipment we plan to perform penetration testing on the equipment to show real-world cases of how cyber-attacks could unfold.